FolioVision

@foliovision · wordpress.org profile
Member since: 2007-04-18
Location: Bratislava
Employer: Foliovision
Job title: Developers
Authored: 28 (9 closed)
SVN commit access: 14
Readme contributor: 0
Combined install base: 48k+ across 28 plugins

Alerts (0)

No open alerts.

Resolved alerts (4)

Critical · code_scan_match · FV Flowplayer Video Player · Resolved (dead_endpoint_or_gated) · 17d ago
Slug: fv-wordpress-flowplayer
Finding count: 1
Findings
Pattern | Kind | File | Line | Snippet | Confidence
unserialize_after_remote_call | builtin | includes/fp-api-private.php | 381 | L371: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L381: $response = @unserialize( preg_replace( '~^/\*[\s\S]*?\*/\s+~', '', $raw_respons | high
Resolved sha: 28641141fc4be13117ae150b04ac279035fccf01
Raw JSON:
{
    "slug": "fv-wordpress-flowplayer",
    "finding_count": 1,
    "findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/fp-api-private.php",
            "line": 381,
            "snippet": "L371: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L381: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons",
            "confidence": "high"
        }
    ],
    "resolved_sha": "28641141fc4be13117ae150b04ac279035fccf01"
}
Critical · code_pattern · FV Player 8 · Resolved (benign_architectural_concern) · 22d ago
Slug: fv-player
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 8.1.4
Hit count: 1
First hit
File: includes/fp-api-private.php
Line: 249
Snippet: L239: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L249: $response = @unserialize( preg_replace( '~^/\*[\s\S]*?\*/\s+~', '', $raw_respons
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file, the classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
Raw JSON:
{
    "slug": "fv-player",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "8.1.4",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/fp-api-private.php",
        "line": 249,
        "snippet": "L239: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L249: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical · code_pattern · FV Flowplayer Video Player · Resolved (benign_architectural_concern) · 22d ago
Slug: fv-wordpress-flowplayer
Pattern: unserialize_after_remote_call
Kind: builtin
Version: 7.5.49.7212
Hit count: 1
First hit
File: includes/fp-api-private.php
Line: 397
Snippet: L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L397: $response = @unserialize( preg_replace( '~^/\*[\s\S]*?\*/\s+~', '', $raw_respons
Explanation: a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file, the classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised.
Raw JSON:
{
    "slug": "fv-wordpress-flowplayer",
    "pattern": "unserialize_after_remote_call",
    "kind": "builtin",
    "version": "7.5.49.7212",
    "hit_count": 1,
    "first_hit": {
        "file": "includes/fp-api-private.php",
        "line": 397,
        "snippet": "L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L397: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons"
    },
    "explanation": "a remote HTTP fetch (`wp_remote_*` / `curl_exec`) is followed by `@unserialize` within the same file \u2014 classic PHP Object Injection C2 gadget. The error-suppressed form is the tell: legit code wants to know when deserialize fails; attackers suppress so malformed gadgets do not leak. A real finding regardless of author intent: any plugin that deserializes remote responses without validation is a latent RCE chain if the remote endpoint is ever compromised."
}
Critical · code_scan_delta · FV Flowplayer Video Player · Resolved (false_positive_cdn_known_good) · 22d ago
Slug: fv-wordpress-flowplayer
Previous version: 7.5.49.7212
Current version: 7.5.49.7212
New findings
Pattern | Kind | File | Line | Snippet | Confidence
unserialize_after_remote_call | builtin | includes/fp-api-private.php | 397 | L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request ); → L397: $response = @unserialize( preg_replace( '~^/\*[\s\S]*?\*/\s+~', '', $raw_respons | high
New finding count: 1
Raw JSON:
{
    "slug": "fv-wordpress-flowplayer",
    "previous_version": "7.5.49.7212",
    "current_version": "7.5.49.7212",
    "new_findings": [
        {
            "pattern": "unserialize_after_remote_call",
            "kind": "builtin",
            "file": "includes/fp-api-private.php",
            "line": 397,
            "snippet": "L387: $raw_response = wp_remote_post( $this->strPrivateAPI, $request );  \u2192  L397: $response = @unserialize( preg_replace( '~^/\\*[\\s\\S]*?\\*/\\s+~', '', $raw_respons",
            "confidence": "high"
        }
    ],
    "new_finding_count": 1
}

Plugins authored (28)

Plugin | Slug | Version | Installs | Last updated | Status
FV Top Level Categories | fv-top-level-cats | 1.9.1 | 20k+ | 8mo ago | Active
FV Flowplayer Video Player | fv-wordpress-flowplayer | 7.5.50.7212 | 20k+ | 18d ago | Active
FV Clone Screen Options | fv-clone-screen-options | 0.5 | 2k+ | 1y ago | Active
FV Simpler SEO | fv-all-in-one-seo-pack | 1.9.7 | 2k+ | 5mo ago | Active
FV Player 8 | fv-player | 8.1.4 | 1k+ | 2mo ago | Active
FV Antispam | fv-antispam | 2.8 | 900 | 6mo ago | Active
FV Gravatar Cache | fv-gravatar-cache | 0.5 | 700 | 1y ago | Active
WP Mail SMTP SendGrid Edition | wp-mail-smtp-sendgrid-edition | 1.4.0 | 500 | 1y ago | Active
Foliopress WYSIWYG | foliopress-wysiwyg | 2.6.19 | 200 | 17d ago | Active
FV Thoughtful Comments | thoughtful-comments | 0.4.1 | 80 | 1y ago | Active
FV Descriptions | fv-descriptions | 1.9.7 | 60 | 5mo ago | Active
Subscribe to Comments Reloaded Better Unsubscribe | subscribe-to-comments-reloaded-better-unsubscribe | 0.9.8 | 40 | 9y ago | Active
BusinessPress | businesspress | 1.5 | 40 | 3mo ago | Active
Filled In | filled-in | 1.9.6 | 20 | 5mo ago | Active
FV Feedburner Replacement | fv-feedburner-replacement | 0.4.3 | 20 | 7y ago | Active
FV Swiftype | fv-swiftype | 0.3.8 | 10 | 4y ago | Active
FV Testimonials | fv-testimonials | 1.13 | 10 | 9y ago | Active
Typewriter | typewriter | 1.0 | 10 | 12y ago | Active
FV bbPress Tweaks | fv-bbpress-tweaks | 0.2.7.4 | 10 | 7y ago | Active
foliovision-clone-screen-options | foliovision-clone-screen-options | - | - | - | Closed
filled-in-which-works | filled-in-which-works | - | - | - | Closed
FV WP Link Robot | wp-link-robot | 0.6.11 | - | - | Closed
fv-forms | fv-forms | - | - | - | Closed
FV Simpler SEO Pack | fv-simpler-seo-pack | 1.6.8 | - | - | Closed
Please remove this one | fv-top-level-categories | - | - | - | Closed
fv-universal-thumbnailer | fv-universal-thumbnailer | - | - | - | Closed
fv-video-player | fv-video-player | - | - | - | Closed
seo-images | seo-images | - | - | - | Closed

SVN commit access (14)

Plugins this account has pushed commits to, reconstructed from plugins.svn.wordpress.org. A new name showing up here on an established plugin is the strongest ownership-transfer signal.

Plugin | Primary author | Installs | Commits | First | Latest | Status
FV Flowplayer Video Player | foliovision | 20k+ | 500 | 10y ago | 18d ago | Active
FV Simpler SEO | foliovision | 2k+ | 115 | 16y ago | 5mo ago | Active
BusinessPress | foliovision | 40 | 98 | 10y ago | 3mo ago | Active
FV Thoughtful Comments | foliovision | 80 | 86 | 16y ago | 1y ago | Active
FV Antispam | foliovision | 900 | 80 | 15y ago | 6mo ago | Active
FV Player 8 | foliovision | 1k+ | 57 | 1y ago | 2mo ago | Active
Filled In | foliovision | 20 | 54 | 14y ago | 5mo ago | Active
FV Top Level Categories | foliovision | 20k+ | 48 | 15y ago | 8mo ago | Active
FV Gravatar Cache | foliovision | 700 | 48 | 15y ago | 1y ago | Active
FV Clone Screen Options | foliovision | 2k+ | 33 | 16y ago | 1y ago | Active
FV Descriptions | foliovision | 60 | 32 | 16y ago | 5mo ago | Active
Subscribe to Comments Reloaded Better Unsubscribe | foliovision | 40 | 23 | 12y ago | 9y ago | Active
WP Mail SMTP SendGrid Edition | foliovision | 500 | 10 | 8y ago | 1y ago | Active
Foliopress WYSIWYG | foliovision | 200 | 1 | 16y ago | 17d ago | Active